1 / 29

Privacy Updates

Privacy Updates . and the New General Data Protection Regulation (GDPR) Requirements September 25, 2019. Panelists. BigBox’s Dilemna. Q: Should BigBox be concerned about GDPR or other privacy laws?.

jonnie
Download Presentation

Privacy Updates

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Privacy Updates and the New General Data Protection Regulation (GDPR) Requirements September 25, 2019

  2. Panelists

  3. BigBox’s Dilemna

  4. Q: Should BigBox be concerned about GDPR or other privacy laws?

  5. Q: What do privacy laws require of retailers that collect personal information from shoppers via in-store tracking technologies?  It depends on where your stores are located, where the consumers whose information is being collected are located, and what kinds of information you are collecting. Privacy laws vary from jurisdiction to jurisdiction, but generally, they protect “personal information” or “personal data,” which usually means information that can be used to identify a person or a specific device or is tied to a person or specific device. For example, when personal data is collected from consumers in the European Union or by stores located in the EU, as BigBox intends to do, the General Data Protection Regulation (GDPR) will likely apply.

  6. GDPR Imposes many robust requirements on companies that collect personal data, including to: • be transparent and provide consumers with clear notice of their privacy practices; • obtain consent to process personal data in certain instances; • ensure the company has appropriate security measures in place to safeguard the data; and • adopt and adhere to a data retention policy, among other requirements Companies must also provide consumers with certain rights, including: • right to access and correct the information stored about them; • data portability; • erasure (the “right to be forgotten”); • restriction of processing; • to object to processing of one’s personal data; and • “not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects . . . or similarly significant effects”.

  7. U.S. Laws • Federal Laws regulate different types of data, such as: • health information (HIPAA), • financial information (GLBA), and • children’s information (COPPA) • Common to these laws are obligations to: • provide individuals with notice of a company’s privacy practices; • obtain consent for certain information collection, use and disclosure practices; and • safeguard the data using reasonable security measures.

  8. California California recently enacted the California Consumer Privacy Act (CCPA), which becomes enforceable in 2020. Like the GDPR, this law introduces specific consumer rights (including the right to access and request deletion of personal information). Among other requirements, the CCPA also imposes specific obligations on companies that sell consumer personal information. Several other states have introduced privacy legislation in the last year and we expect more will follow.

  9. Q: What if we are just trying to capture aggregate information, not information about any individual customers? If you are just trying to capture aggregate information, such as how many people came to your store, where they spent the most time, how they moved through the store, and the like, then you may not trigger any privacy laws. Every situation is fact specific. 

  10. Q: The retail tracking provider we are considering working with offers our customers the ability to opt out of being tracked. Does that help?   • A: Probably, yes. • However, how does the opt out work? And, how are the customers informed of the choices they have? • Lawfulness, fairness and transparency -What does your privacy notice say? -Is there an in-store mechanism? -Are you honoring the customer’s choices? -Are kids involved?

  11. CCPA and GDPR Opt-Out Compared • Consent: Has the data subject “freely given, specific, informed and unambiguous” consent? • Opt-Out: While “opt-out” rights are not expressly stated, they are in effect since consent can be withdrawn at any time - Silence, pre-ticked boxes or inactivity does not constitute consent • Related rights: - Right to rectification (Article 16) - Right to erasure or “the right to be forgotten” (Article 17) - Right to restrict processing (Article 18) - Right to object to processing (Article 21) • Notification: Before or at collection, individuals must be notified of the categories of personal information that are being collected • Opt-Out: Businesses must enable and comply with a consumer’s request to opt-out (Cal. Civ. Code § 1798.120) - Must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location - Must not request reauthorization for at least 12 months after the person opts-out - Must train employees on handling consumer’s opt- out requests • Related rights: Right to deletion (Cal. Civ. Code § 1798.105)

  12. Children CCPA + COPPA GDPR Parental consent required for children under 16 Member states have the right to lower the age threshold but not lower than 13 Children must receive an age appropriate privacy notice Applies to all processing consent requests • Consent required for children under 16 - Children can consent aged 13-16 - Parental consent required for children under 13 • COPPA – Applies to any websites or other online services directed to children or that knowingly collect personal information from children and must allow parents to: - View the personal information collected about their child and - Delete and correct that information

  13. Q: We are thinking about using facial recognition technology and fingerprint scanners to help identify the people coming into our stores. Does that trigger any special concerns? • A: Yes. in some jurisdictions, capturing any data about a unique individual (even if you don’t know who they are and make no effort to find out who they are) may trigger the application of privacy laws if you use a unique identifier to track them or if the image could be linked to a customer.

  14. Q: We are thinking about using facial recognition technology and fingerprint scanners to help identify the people coming into our stores. Does that trigger any special concerns? • Because biometrics are the most “personal” of personally identifiable information, several states (currently Illinois, Washington, and Texas, with other states considering similar legislation) regulate their use.

  15. Q: Can you tell me more about the U.S. and EU biometrics laws and how they are enforced? • In Illinois, Washington, and Texas (with other states considering similar legislation), attempting to identify an individual using facial recognition or fingerprint scanning technology will trigger laws governing biometric data. • Similarly, in the EU, biometric data that is used for the purpose of uniquely identifying a person is considered a “special category of personal data” for which processing is prohibited absent explicit consent or unless other exemptions apply.

  16. Q: Can you tell me more about the U.S. and EU biometrics laws and how they are enforced? Illinois Biometric Information Privacy Act • What is Biometric Data? Retina, Iris or Hand Scans; Fingerprints, Voiceprints and Photographs • Passed in 2008; Five Class Actions Filed in 2015 • Requirements: (1) Informed Consent; (2) Limited Disclosure; (3) No Profit; (4) Protect and Retain • Penalty: $1,000 Per Negligent Violation; $5,000 Per Intentional Violation

  17. Q: Can you tell me more about the U.S. and EU biometrics laws and how they are enforced? Texas Business and Commerce Code • What is Biometric Data? Retina, Iris or Hand Scans; Fingerprints, Voiceprints and Photographs • Requirements: (1) Informed Consent; (2) Limited Disclosure; (3) No Profit; (4) Store & Protect; (5) Destroy after one year • No private right of action.

  18. Q: Can you tell me more about the U.S. and EU biometrics laws and how they are enforced? Washington House Bill 1493 • What is Biometric Data? Retina, Iris or Hand Scans; Fingerprints, Voiceprints and Photographs • Signed into law on in 2017 • Prohibits anyone from “enrolling a biometric identifier in a database for commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” • No private right of action.

  19. Q: We are thinking about using facial recognition technology and fingerprint scanners to help identify the people coming into our stores. Does that trigger any special concerns? • Key Take-Aways: • Be mindful of current and emerging U.S. and EU laws and regulations. • Make sure your Privacy Policy addresses the collection and use of biometric data. • Obtain informed consent before collecting or using any biometric data.

  20. Q: How do companies approach drafting and implementing data privacy policies and thinking about ethical and reputational concerns?  Inclusions in Your Privacy Policy • What information is collected • How it is collected • How its used • In case of a data breach …what? • Disclosures • Your rights • Changes to the policy

  21. What is Collected? Q: How do companies approach drafting and implementing data privacy policies and thinking about ethical and reputational concerns?  • Name, contact info, employer, job title, credit card info, any identifier by which you may be contacted online or offline. • Internet usage, equipment type, IP addresses, info collected via cookies, web beacons, & other tracking technologies.

  22. What else might be Collected? Q: How do companies approach drafting and implementing data privacy policies and thinking about ethical and reputational concerns?  • Records, correspondence, and other forms of communication user submits when contacting company • Info from online forms, and info provided when user signs up for an event or membership program • Info provided when user requests information about services • When user participates in a survey, contest, or responding to an online event evaluations • Details of transactions when user makes an order

  23. Q: How do companies approach drafting and implementing data privacy policies and thinking about ethical and reputational concerns?  How Data is Collected? • Through a website • Through Apps • In email, text, and other electronic messaging between users to the website • When users interact with your Ads & Apps on 3rd party sites that link to your policy • Face to face contact

  24. How Data is Collected? Q: We are thinking about using facial recognition technology to help identify the people coming into the store. Does that trigger any special concern?  • Through the website • Through Apps • In email, text, and other electronic messages between users to your website and you • When users interact with your Ads & Apps on 3rd party sites that link to your Policy • Face to face contact

  25. Why is Data Collected • Enables company to improve its website • Delivers a better and more personalized customer experience • Allows company to estimate audience size and usage patterns • Stores information about users’ preferences • Allows company to customize its website for individual needs • Speeds up user searches • Recognizes user when they return to company’s website.

  26. Other Important Items Q: How do companies approach drafting and implementing data privacy policies and thinking about ethical and reputational concerns?  • Third-party use of cookies and other tracking technologies. • Disclosure of your information. • Choices about how we use and disclose your information. • Tracking technologies and advertising • Disclosure of your information for third-party advertising. Promotional offers from the company. Targeted advertising.

  27. Your Rights Q: How do companies approach drafting and implementing data privacy policies and thinking about ethical and reputational concerns?  • You can access your data • You can correct your data • Request that it be deleted • Broad rights under GDPR & CCPA

  28. Take-Aways Q: How do companies approach drafting and implementing data privacy policies and thinking about ethical and reputational concerns?  • Have a Privacy Policy if you are doing business with anyone in CA or the EU • Periodically review it as the law continuously • Do your due diligence • Be transparent, even if a breach occurs

  29. Q&a

More Related